A match on the Form.Show function may indicate an adversary loading a malicious form or UI component to execute code stealthily or evade detection. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential post-exploitation activity that could lead to persistence or data exfiltration.
YARA Rule
rule Delphi_FormShow {
    meta:
        author = "_pusher_"
        description = "Look for Form.Show function"
        date = "2016-06"
        version = "0.1"
    strings:
        $c0 = { 53 8B D8 B2 01 8B C3 E8 ?? ?? ?? ?? 8B C3 E8 ?? ?? ?? ?? 5B C3 }
        // x64 rad
        $c1 = { 53 48 83 EC 20 48 89 CB 48 89 D9 B2 01 E8 ?? ?? ?? ?? 48 89 D9 E8 ?? ?? ?? ?? 48 83 C4 20 5B C3 }
    condition:
        any of them
}
This rule contains 2 string patterns in its detection logic. The scenarios below describe legitimate contexts in which it may fire and the filters or exclusions that apply to each:
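To make the two hex strings concrete, here is an added Python example (it is not part of the rule or of the original page) that translates the rule's hex strings, `??` wildcards included, into byte regexes and scans a constructed buffer. The buffer holds hand-built stand-ins for the 32-bit and 64-bit stubs in which the four-byte call displacements are invented values; those displacements differ in every compiled binary, which is exactly what the wildcards exist to absorb. The opcode decoding in the comments is standard x86/x64; the attribution of the sequence to Form.Show comes from the rule's own description.

```python
import re
from typing import Dict, List

# Hex strings copied from the Delphi_FormShow rule above. Decoded, $c0 is
#   push ebx / mov ebx,eax / mov dl,1 / mov eax,ebx / call rel32 /
#   mov eax,ebx / call rel32 / pop ebx / ret
# and $c1 is the same shape for Win64 (rcx holds Self, 0x20 bytes of shadow
# space are reserved). The "??" bytes are the two relative call displacements.
PATTERNS = {
    "$c0": "53 8B D8 B2 01 8B C3 E8 ?? ?? ?? ?? 8B C3 E8 ?? ?? ?? ?? 5B C3",
    "$c1": ("53 48 83 EC 20 48 89 CB 48 89 D9 B2 01 E8 ?? ?? ?? ?? "
            "48 89 D9 E8 ?? ?? ?? ?? 48 83 C4 20 5B C3"),
}


def hex_pattern_to_regex(hex_string: str) -> "re.Pattern[bytes]":
    """Translate a YARA hex string (byte tokens plus '??' wildcards) into a bytes regex."""
    parts = []
    for token in hex_string.split():
        if token == "??":
            parts.append(b".")  # wildcard: exactly one arbitrary byte
        else:
            parts.append(re.escape(bytes([int(token, 16)])))
    # DOTALL so the wildcard also matches 0x0A, which would otherwise be excluded.
    return re.compile(b"".join(parts), re.DOTALL)


COMPILED = {name: hex_pattern_to_regex(h) for name, h in PATTERNS.items()}


def scan(data: bytes) -> Dict[str, List[int]]:
    """Return {pattern_name: [offsets]} for every pattern present in data."""
    hits: Dict[str, List[int]] = {}
    for name, regex in COMPILED.items():
        offsets = [m.start() for m in regex.finditer(data)]
        if offsets:
            hits[name] = offsets
    return hits


def rule_matches(data: bytes) -> bool:
    """Mirror the rule's 'any of them' condition."""
    return bool(scan(data))


# Constructed samples: the rule's fixed bytes with made-up call displacements
# (10 20 00 00, 30 40 00 00, AA BB CC DD, 11 22 33 44), padded with NOPs and INT3s.
X86_STUB = bytes.fromhex("53 8B D8 B2 01 8B C3 E8 10 20 00 00 8B C3 E8 30 40 00 00 5B C3")
X64_STUB = bytes.fromhex(
    "53 48 83 EC 20 48 89 CB 48 89 D9 B2 01 E8 AA BB CC DD "
    "48 89 D9 E8 11 22 33 44 48 83 C4 20 5B C3"
)
SAMPLE = b"\x90" * 16 + X86_STUB + b"\xcc" * 8 + X64_STUB
BENIGN = b"\x00" * 64

if __name__ == "__main__":
    for label, buf in (("sample", SAMPLE), ("benign", BENIGN)):
        print(label, rule_matches(buf), scan(buf))
```

Changing any fixed byte (for example the `B2 01`, the `mov dl,1` that passes True) breaks the match, while changing the wildcarded displacement bytes does not; that is the trade-off the author made between brittleness and false positives. Scanning with the real `yara` binary gives the same offsets.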
Scenario: A legitimate application using a GUI framework (e.g., PowerShell GUI scripts or C# Windows Forms) calls Form.Show() as part of its normal operation.
Filter/Exclusion: Exclude processes associated with known internal applications (e.g., MyApp.exe), or filter by process name using process.name == "MyApp.exe".

Scenario: A scheduled task runs a script that displays a form for user input (e.g., a configuration tool or a maintenance utility).
Filter/Exclusion: Exclude tasks associated with known administrative tools (e.g., ConfigurationTool.exe) using process.name == "ConfigurationTool.exe", or check the task name using task.name == "MaintenanceTask".

Scenario: A system administration task (e.g., using PowerShell or Task Scheduler) launches a form to gather user credentials or system information.
Filter/Exclusion: Exclude processes launched by administrative tools or scripts (e.g., powershell.exe with specific command-line arguments) using process.name == "powershell.exe" and check for known admin scripts.

Scenario: A third-party application (e.g., Microsoft Excel or an Outlook add-in) uses a form to display data or user prompts.
Filter/Exclusion: Exclude processes associated with common third-party apps (e.g., excel.exe, outlook.exe) using process.name == "excel.exe" or process.name == "outlook.exe".

Scenario: An automated testing tool (e.g., Selenium, UI Automation) interacts with a GUI application by invoking Form.Show() as part of a test script.
Filter/Exclusion: Exclude processes related to testing frameworks (e.g., selenium.exe, testrunner.exe) using `process.name == “s
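The exclusions above are written in a small `field == "value"` syntax joined by `or` and `and`. As an added example (not from the original page), here is a Python triage helper that compiles those expressions into predicates and runs them over constructed hit events; the event field names `process.name` and `task.name` are the page's, the event records and the process name `update_helper.exe` are invented for illustration.

```python
import re
from typing import Callable, Dict, List, Tuple

Event = Dict[str, str]

# One comparison in the page's filter syntax:  field == "value"
COMPARISON = re.compile(r'^\s*([A-Za-z_.]+)\s*==\s*"([^"]*)"\s*$')


def parse_exclusion(expr: str) -> Callable[[Event], bool]:
    """Compile 'a == "x" or b == "y" and c == "z"' into a predicate.

    'and' binds tighter than 'or', as in most query languages. Anything that is
    not a plain comparison is rejected rather than silently ignored.
    """
    groups: List[List[Tuple[str, str]]] = []
    for disjunct in expr.split(" or "):
        terms: List[Tuple[str, str]] = []
        for conjunct in disjunct.split(" and "):
            m = COMPARISON.match(conjunct)
            if not m:
                raise ValueError(f"unsupported exclusion clause: {conjunct!r}")
            terms.append((m.group(1), m.group(2)))
        groups.append(terms)

    def predicate(event: Event) -> bool:
        # Windows image and task names are case-insensitive, so compare case-folded.
        return any(
            all(event.get(field, "").lower() == value.lower() for field, value in terms)
            for terms in groups
        )

    return predicate


# Exclusions taken from the scenarios above, in the page's own syntax.
EXCLUSIONS = [
    'process.name == "MyApp.exe"',
    'process.name == "ConfigurationTool.exe" or task.name == "MaintenanceTask"',
    'process.name == "excel.exe" or process.name == "outlook.exe"',
]


def triage(events: List[Event], exclusions: List[str] = EXCLUSIONS) -> List[Event]:
    """Return the hits that survive every exclusion and still need an analyst."""
    predicates = [parse_exclusion(e) for e in exclusions]
    return [ev for ev in events if not any(p(ev) for p in predicates)]


# Constructed YARA-hit events (hypothetical hosts and task names).
SAMPLE_EVENTS: List[Event] = [
    {"rule": "Delphi_FormShow", "process.name": "MyApp.exe", "task.name": ""},
    {"rule": "Delphi_FormShow", "process.name": "taskhostw.exe", "task.name": "MaintenanceTask"},
    {"rule": "Delphi_FormShow", "process.name": "OUTLOOK.EXE", "task.name": ""},
    {"rule": "Delphi_FormShow", "process.name": "update_helper.exe", "task.name": "SysCheck"},
]

if __name__ == "__main__":
    for ev in triage(SAMPLE_EVENTS):
        print("needs review:", ev)
```

Of the four constructed events only `update_helper.exe` survives. Note that every exclusion here keys on a name alone, which anything on disk can be renamed to; in a production allowlist pair the name with the image path and code-signing identity so the exclusion describes the actual binary rather than its label.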